strimzi · katheris · Mar 13, 2025 · Mar 17, 2025 · Jul 30, 2025 · Aug 13, 2025
diff --git a/.checkstyle/import-control.xml b/.checkstyle/import-control.xml
@@ -32,6 +32,7 @@ We also control imports only in production classes and not in tests. This is con
         <allow pkg="com.fasterxml.jackson" />
         <allow pkg="io.fabric8.zjsonpatch" />
         <allow pkg="io.fabric8.kubernetes.api.model" />
+        <allow pkg="io.fabric8.certmanager.api.model" />
         <allow class="io.fabric8.kubernetes.client.utils.Serialization" />
         <allow class="io.fabric8.kubernetes.client.CustomResource" />
 
@@ -59,6 +60,7 @@ We also control imports only in production classes and not in tests. This is con
         <allow pkg="io.fabric8.zjsonpatch" />
         <allow pkg="io.fabric8.openshift.api.model" />
         <allow pkg="io.fabric8.kubernetes.api.model" />
+        <allow pkg="io.fabric8.certmanager.api.model" />
         <allow pkg="io.vertx.core.json" />
         <allow class="edu.umd.cs.findbugs.annotations.SuppressFBWarnings" />
 
@@ -68,6 +70,7 @@ We also control imports only in production classes and not in tests. This is con
         <allow pkg="io.strimzi.platform" />
         <allow pkg="io.strimzi.certs" />
         <allow pkg="io.strimzi.kafka.config.model" />
+        <allow pkg="io.strimzi.operator.common.auth" />
         <allow pkg="io.strimzi.operator.common.model" />
         <allow pkg="io.strimzi.operator.cluster.model" />
         <allow class="io.strimzi.operator.common.Reconciliation" />

diff --git a/api/src/main/java/io/strimzi/api/kafka/model/common/CertificateAuthority.java b/api/src/main/java/io/strimzi/api/kafka/model/common/CertificateAuthority.java
@@ -6,6 +6,7 @@
 
 import com.fasterxml.jackson.annotation.JsonInclude;
 import com.fasterxml.jackson.annotation.JsonPropertyOrder;
+import io.strimzi.api.kafka.model.common.certmanager.CertManager;
 import io.strimzi.crdgenerator.annotations.Description;
 import io.strimzi.crdgenerator.annotations.Minimum;
 import io.sundr.builder.annotations.Buildable;
@@ -23,8 +24,8 @@
         builderPackage = Constants.FABRIC8_KUBERNETES_API
 )
 @JsonInclude(JsonInclude.Include.NON_DEFAULT)
-@JsonPropertyOrder({ "generateCertificateAuthority", "generateSecretOwnerReference", "validityDays",
-    "renewalDays", "certificateExpirationPolicy" })
+@JsonPropertyOrder({ "generateCertificateAuthority", "type", "generateSecretOwnerReference", "validityDays",
+    "renewalDays", "certificateExpirationPolicy", "certManager" })
 @EqualsAndHashCode
 @ToString
 public class CertificateAuthority implements UnknownPropertyPreserving {
@@ -33,9 +34,11 @@ public class CertificateAuthority implements UnknownPropertyPreserving {
 
     private int validityDays;
     private boolean generateCertificateAuthority = true;
+    private CertificateManagerType type = CertificateManagerType.STRIMZI_IO;
     private boolean generateSecretOwnerReference = true;
     private int renewalDays;
     private CertificateExpirationPolicy certificateExpirationPolicy;
+    private CertManager certManager;
     private Map<String, Object> additionalProperties;
 
     @Description("The number of days generated certificates should be valid for. The default is 365.")
@@ -61,6 +64,18 @@ public void setGenerateCertificateAuthority(boolean generateCertificateAuthority
         this.generateCertificateAuthority = generateCertificateAuthority;
     }
 
+    @Description("The type of certificate manager. " +
+            "The available types are `strimzi.io` and `cert-manager.io`. " +
+            "Default is `strimzi.io`")
+    @JsonInclude(JsonInclude.Include.NON_DEFAULT)
+    public CertificateManagerType getType() {
+        return type;
+    }
+
+    public void setType(CertificateManagerType type) {
+        this.type = type;
+    }
+
     @Description("If `true`, the Cluster and Client CA Secrets are configured with the `ownerReference` set to the `Kafka` resource. " +
             "If the `Kafka` resource is deleted when `true`, the CA Secrets are also deleted. " +
             "If `false`, the `ownerReference` is disabled. " +
@@ -100,6 +115,16 @@ public void setCertificateExpirationPolicy(CertificateExpirationPolicy certifica
         this.certificateExpirationPolicy = certificateExpirationPolicy;
     }
 
+    @Description("Configuration for using cert-manager to issue certificates. " +
+            "This only applies if the CA type is set to `cert-manager.io`.")
+    public CertManager getCertManager() {
+        return certManager;
+    }
+
+    public void setCertManager(CertManager certManager) {
+        this.certManager = certManager;
+    }
+
     @Override
     public Map<String, Object> getAdditionalProperties() {
         return this.additionalProperties != null ? this.additionalProperties : Map.of();

diff --git a/api/src/main/java/io/strimzi/api/kafka/model/common/CertificateManagerType.java b/api/src/main/java/io/strimzi/api/kafka/model/common/CertificateManagerType.java
@@ -0,0 +1,40 @@
+/*
+ * Copyright Strimzi authors.
+ * License: Apache License 2.0 (see the file LICENSE or http://apache.org/licenses/LICENSE-2.0.html).
+ */
+package io.strimzi.api.kafka.model.common;
+
+import com.fasterxml.jackson.annotation.JsonCreator;
+import com.fasterxml.jackson.annotation.JsonValue;
+
+/**
+ * Defines values for the spec.clusterCa/clientsCa.type field
+ */
+public enum CertificateManagerType {
+    STRIMZI_IO,
+    CERT_MANAGER_IO;
+
+    @JsonCreator
+    public static CertificateManagerType forValue(String value) {
+        switch (value) {
+            case "strimzi.io":
+                return STRIMZI_IO;
+            case "cert-manager.io":
+                return CERT_MANAGER_IO;
+            default:
+                return null;
+        }
+    }
+
+    @JsonValue
+    public String toValue() {
+        switch (this) {
+            case STRIMZI_IO:
+                return "strimzi.io";
+            case CERT_MANAGER_IO:
+                return "cert-manager.io";
+            default:
+                return null;
+        }
+    }
+}
diff --git a/api/src/main/java/io/strimzi/api/kafka/model/common/certmanager/CaCertRef.java b/api/src/main/java/io/strimzi/api/kafka/model/common/certmanager/CaCertRef.java
@@ -0,0 +1,67 @@
+/*
+ * Copyright Strimzi authors.
+ * License: Apache License 2.0 (see the file LICENSE or http://apache.org/licenses/LICENSE-2.0.html).
+ */
+package io.strimzi.api.kafka.model.common.certmanager;
+
+import com.fasterxml.jackson.annotation.JsonInclude;
+import com.fasterxml.jackson.annotation.JsonPropertyOrder;
+import io.strimzi.api.kafka.model.common.Constants;
+import io.strimzi.api.kafka.model.common.UnknownPropertyPreserving;
+import io.strimzi.crdgenerator.annotations.Description;
+import io.sundr.builder.annotations.Buildable;
+import lombok.EqualsAndHashCode;
+import lombok.ToString;
+
+import java.util.HashMap;
+import java.util.Map;
+
+@Description("Reference to the Secret containing the CA certificate (public key) " +
+        "that trusts certificates issued by cert-manager. " +
+        "This only applies if the CA type is set to `cert-manager.io`.")
+@Buildable(
+        editableEnabled = false,
+        builderPackage = Constants.FABRIC8_KUBERNETES_API
+)
+@JsonInclude(JsonInclude.Include.NON_NULL)
+@JsonPropertyOrder({ "secretName", "certificate" })
+@EqualsAndHashCode
+@ToString
+public class CaCertRef implements UnknownPropertyPreserving {
+    private String secretName;
+    private String certificate;
+    private Map<String, Object> additionalProperties;
+
+    @Description("The name of the Secret. " +
+            "Required.")
+    public String getSecretName() {
+        return secretName;
+    }
+
+    public void setSecretName(String secretName) {
+        this.secretName = secretName;
+    }
+
+    @Description("The name of the file certificate in the Secret." +
+            "Required.")
+    public String getCertificate() {
+        return certificate;
+    }
+
+    public void setCertificate(String certificate) {
+        this.certificate = certificate;
+    }
+
+    @Override
+    public Map<String, Object> getAdditionalProperties() {
+        return this.additionalProperties != null ? this.additionalProperties : Map.of();
+    }
+
+    @Override
+    public void setAdditionalProperty(String name, Object value) {
+        if (this.additionalProperties == null) {
+            this.additionalProperties = new HashMap<>(2);
+        }
+        this.additionalProperties.put(name, value);
+    }
+}
diff --git a/api/src/main/java/io/strimzi/api/kafka/model/common/certmanager/CertManager.java b/api/src/main/java/io/strimzi/api/kafka/model/common/certmanager/CertManager.java
@@ -0,0 +1,67 @@
+/*
+ * Copyright Strimzi authors.
+ * License: Apache License 2.0 (see the file LICENSE or http://apache.org/licenses/LICENSE-2.0.html).
+ */
+package io.strimzi.api.kafka.model.common.certmanager;
+
+import com.fasterxml.jackson.annotation.JsonInclude;
+import com.fasterxml.jackson.annotation.JsonPropertyOrder;
+import io.strimzi.api.kafka.model.common.Constants;
+import io.strimzi.api.kafka.model.common.UnknownPropertyPreserving;
+import io.strimzi.crdgenerator.annotations.Description;
+import io.sundr.builder.annotations.Buildable;
+import lombok.EqualsAndHashCode;
+import lombok.ToString;
+
+import java.util.HashMap;
+import java.util.Map;
+
+@Description("Configuration for using cert-manager to issue certificates. " +
+        "This only applies if the CA type is set to `cert-manager.io`.")
+@Buildable(
+        editableEnabled = false,
+        builderPackage = Constants.FABRIC8_KUBERNETES_API
+)
+@JsonInclude(JsonInclude.Include.NON_NULL)
+@JsonPropertyOrder({ "issuerRef", "caCert" })
+@EqualsAndHashCode
+@ToString
+public class CertManager implements UnknownPropertyPreserving {
+    private IssuerRef issuerRef;
+    private CaCertRef caCert;
+    private Map<String, Object> additionalProperties;
+
+    @Description("Reference to the cert-manager issuer to use for issuing certificates. " +
+            "Required.")
+    public IssuerRef getIssuerRef() {
+        return issuerRef;
+    }
+
+    public void setIssuerRef(IssuerRef issuerRef) {
+        this.issuerRef = issuerRef;
+    }
+
+    @Description("Reference to the Secret containing the CA certificate (public key) " +
+            "that trusts certificates issued by cert-manager. " +
+            "Required.")
+    public CaCertRef getCaCert() {
+        return caCert;
+    }
+
+    public void setCaCert(CaCertRef caCert) {
+        this.caCert = caCert;
+    }
+
+    @Override
+    public Map<String, Object> getAdditionalProperties() {
+        return this.additionalProperties != null ? this.additionalProperties : Map.of();
+    }
+
+    @Override
+    public void setAdditionalProperty(String name, Object value) {
+        if (this.additionalProperties == null) {
+            this.additionalProperties = new HashMap<>(2);
+        }
+        this.additionalProperties.put(name, value);
+    }
+}
diff --git a/api/src/main/java/io/strimzi/api/kafka/model/common/certmanager/IssuerKind.java b/api/src/main/java/io/strimzi/api/kafka/model/common/certmanager/IssuerKind.java
@@ -0,0 +1,37 @@
+/*
+ * Copyright Strimzi authors.
+ * License: Apache License 2.0 (see the file LICENSE or http://apache.org/licenses/LICENSE-2.0.html).
+ */
+package io.strimzi.api.kafka.model.common.certmanager;
+
+import com.fasterxml.jackson.annotation.JsonCreator;
+import com.fasterxml.jackson.annotation.JsonValue;
+
+public enum IssuerKind {
+    ISSUER,
+    CLUSTER_ISSUER;
+
+    @JsonCreator
+    public static IssuerKind forValue(String value) {
+        switch (value) {
+            case "Issuer":
+                return ISSUER;
+            case "ClusterIssuer":
+                return CLUSTER_ISSUER;
+            default:
+                return null;
+        }
+    }
+
+    @JsonValue
+    public String toValue() {
+        switch (this) {
+            case ISSUER:
+                return "Issuer";
+            case CLUSTER_ISSUER:
+                return "ClusterIssuer";
+            default:
+                return null;
+        }
+    }
+}
diff --git a/api/src/main/java/io/strimzi/api/kafka/model/common/certmanager/IssuerRef.java b/api/src/main/java/io/strimzi/api/kafka/model/common/certmanager/IssuerRef.java
@@ -0,0 +1,79 @@
+/*
+ * Copyright Strimzi authors.
+ * License: Apache License 2.0 (see the file LICENSE or http://apache.org/licenses/LICENSE-2.0.html).
+ */
+package io.strimzi.api.kafka.model.common.certmanager;
+
+import com.fasterxml.jackson.annotation.JsonInclude;
+import com.fasterxml.jackson.annotation.JsonPropertyOrder;
+import io.strimzi.api.kafka.model.common.Constants;
+import io.strimzi.api.kafka.model.common.UnknownPropertyPreserving;
+import io.strimzi.crdgenerator.annotations.Description;
+import io.sundr.builder.annotations.Buildable;
+import lombok.EqualsAndHashCode;
+import lombok.ToString;
+
+import java.util.HashMap;
+import java.util.Map;
+
+@Description("Reference to the cert-manager issuer for TLS certificates. " +
+        "This only applies if the CA type is set to `cert-manager.io`.")
+@Buildable(
+        editableEnabled = false,
+        builderPackage = Constants.FABRIC8_KUBERNETES_API
+)
+@JsonInclude(JsonInclude.Include.NON_NULL)
+@JsonPropertyOrder({ "name", "kind", "group" })
+@EqualsAndHashCode
+@ToString
+public class IssuerRef implements UnknownPropertyPreserving {
+    private String name;
+    private IssuerKind kind;
+    private String group = "cert-manager.io";
+    private Map<String, Object> additionalProperties;
+
+    @Description("The name of the cert-manager issuer. " +
+            "Required.")
+    public String getName() {
+        return name;
+    }
+
+    public void setName(String name) {
+        this.name = name;
+    }
+
+    @Description("The kind of the cert-manager issuer. " +
+            "Must be either `Issuer` or `ClusterIssuer`. " +
+            "Required.")
+    public IssuerKind getKind() {
+        return kind;
+    }
+
+    public void setKind(IssuerKind kind) {
+        this.kind = kind;
+    }
+
+    @Description("The group of the cert-manager issuer. " +
+            "Default is `cert-manager.io`.")
+    @JsonInclude(JsonInclude.Include.NON_DEFAULT)
+    public String getGroup() {
+        return group;
+    }
+
+    public void setGroup(String group) {
+        this.group = group;
+    }
+
+    @Override
+    public Map<String, Object> getAdditionalProperties() {
+        return this.additionalProperties != null ? this.additionalProperties : Map.of();
+    }
+
+    @Override
+    public void setAdditionalProperty(String name, Object value) {
+        if (this.additionalProperties == null) {
+            this.additionalProperties = new HashMap<>(2);
+        }
+        this.additionalProperties.put(name, value);
+    }
+}